Georg Lutz wrote:
On 2005-08-24, David Gomillion wrote:

Can we implement a feature that allows us to set a variable that determines
if the Display link even appears?  From the original email, it looks like
they are asserting that using the Display link will allow arbitrary code to
run on the server, which is never a good thing.

How should it be possible to run arbitrary code on the server ???

I think the cross-site scripting concern is that the attachment may be a file (such as HTML) that includes commands (maybe javascript) that could interact with SQwebmail to do things that the user wouldn't like. It might be possible to delete all of a user's mail from javascript, for instance.

The code would execute in the user's browser, but the context of execution may give it access to the sqwebmail functions.
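As an added example (not SQwebmail's own code), one way a webmail "Display" link could serve attachments so that an HTML attachment's script is never rendered under the webmail's origin: active document types are forced to download, only a small allow-list is shown inline, and the browser is told not to sniff the type. The function names, the allow-list and the header policy are this example's assumptions.

```python
# Added example, not SQwebmail code: choose response headers for one attachment
# so that HTML/SVG/XML bodies are never rendered as a document in the webmail's
# origin (where their script could drive the mailbox with the user's session).
import re

# Only these are allowed to display inline. text/html, application/xhtml+xml,
# image/svg+xml and XML types are deliberately absent: browsers render them
# as active documents that may carry script.
INLINE_SAFE = {"text/plain", "image/png", "image/jpeg", "image/gif", "application/pdf"}


def _safe_filename(name):
    # Keep header injection out of Content-Disposition: drop CR, LF and quotes.
    return re.sub(r'[\r\n"]', "", name or "").strip() or "attachment"


def attachment_headers(content_type, filename, want_inline=True):
    """Return the response headers for serving one attachment.

    want_inline is what the Display link asks for; it is honoured only for
    the allow-listed types. Everything else (including HTML) is sent as
    opaque bytes with a download disposition.
    """
    ctype = (content_type or "application/octet-stream").split(";")[0].strip().lower()
    fname = _safe_filename(filename)
    headers = {
        # Forbid MIME sniffing, so a "text/plain" body is not promoted to HTML.
        "X-Content-Type-Options": "nosniff",
        # Belt and braces: if a browser renders it anyway, the bare sandbox
        # directive blocks script and gives the document an opaque origin.
        "Content-Security-Policy": "sandbox",
    }
    if want_inline and ctype in INLINE_SAFE:
        headers["Content-Type"] = ctype
        headers["Content-Disposition"] = 'inline; filename="%s"' % fname
    else:
        headers["Content-Type"] = "application/octet-stream"
        headers["Content-Disposition"] = 'attachment; filename="%s"' % fname
    return headers
```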



_______________________________________________
courier-users mailing list
courier-users@lists.sourceforge.net
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
